6.1.2 (L1) Ensure mailbox audit actions are configured

Information

Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.

Audit actions are assigned to each mailbox and shared mailbox individually, so the organization can audit the data it considers valuable at the mailbox level.

The recommended state per mailbox is AuditEnabled set to True, including all default audit actions plus the additional actions outlined below in the audit and remediation sections.

Note: Audit (Standard) licensing allows for up to 180 days log retention as of October 2023.

Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are accounted for allows Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities.

The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data.

- Resource Mailboxes
- Public Folder Mailboxes
- DiscoverySearch Mailbox

Solution

For each UserMailbox ensure AuditEnabled is True and the following audit actions are included in addition to the default actions of each sign-in type.

- Admin actions: Copy, FolderBind and Move
- Delegate actions: FolderBind and Move
- Owner actions: Create, MailboxLogin and Move

Note: The defaults can be found in the Default Value section and the combined total can be found in the scripts of the Audit/Remediation sections.

To remediate using PowerShell:

- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell script to remediate every 'UserMailbox' in the organization:

$AuditAdmin = @(
"ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete",
"MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs",
"SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation",
"UpdateFolderPermissions", "UpdateInboxRules"
)

$AuditDelegate = @(
"ApplyRecord", "Create", "FolderBind", "HardDelete", "Move",
"MailItemsAccessed", "MoveToDeletedItems", "SendAs", "SendOnBehalf",
"SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules"
)

$AuditOwner = @(
"ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move",
"MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update",
"UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules"
)

$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq "UserMailbox" }
$MBX | Set-Mailbox -AuditEnabled $true `
-AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate `
-AuditOwner $AuditOwner

- The script will apply the prescribed Audit Actions for each sign-in type (Owner, Delegate, Admin) and the AuditLogAgeLimit to each UserMailbox in the organization.
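The page describes the audit half of this control but only prints the remediation script. The following PowerShell is an added example, not part of the benchmark or Tenable plugin, of the corresponding check: it reports every UserMailbox whose AuditEnabled, AuditLogAgeLimit or action sets fall short of the combined lists above, and also flags the mailbox types from the Information section that ignore the organizational default. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, that Get-EXOMailbox's "Audit" property set returns the Audit* properties, and that the RecipientTypeDetails names for resource, public folder and discovery mailboxes are as listed in $OptOutTypes.

```powershell
# Added example (not part of the benchmark text): audit-side check for this control.
# Assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session.
# The required action sets below are the combined default + additional actions from the Solution section.

$RequiredAdmin = @(
    "ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete",
    "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs",
    "SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation",
    "UpdateFolderPermissions", "UpdateInboxRules"
)
$RequiredDelegate = @(
    "ApplyRecord", "Create", "FolderBind", "HardDelete", "Move",
    "MailItemsAccessed", "MoveToDeletedItems", "SendAs", "SendOnBehalf",
    "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules"
)
$RequiredOwner = @(
    "ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move",
    "MailItemsAccessed", "MoveToDeletedItems", "Send", "SoftDelete", "Update",
    "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules"
)
$RequiredAgeLimitDays = 180

# Mailbox types that ignore the organizational default (Information section).
# These RecipientTypeDetails values are an assumption based on Exchange Online naming.
$OptOutTypes = @("RoomMailbox", "EquipmentMailbox", "PublicFolderMailbox", "DiscoveryMailbox")

function Get-MissingActions {
    # Returns the required actions that are absent from the mailbox's current action list.
    param([string[]]$Required, $Current)
    $have = @($Current | ForEach-Object { "$_" })
    return @($Required | Where-Object { $have -notcontains $_ })
}

# -PropertySets Audit adds AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner and AuditLogAgeLimit.
$Mailboxes = Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum, Audit

$Findings = foreach ($mbx in $Mailboxes) {
    $type = "$($mbx.RecipientTypeDetails)"
    $problems = @()

    if ($type -eq "UserMailbox") {
        if (-not $mbx.AuditEnabled) { $problems += "AuditEnabled is False" }

        # AuditLogAgeLimit is returned as a "days.hh:mm:ss" string, e.g. 90.00:00:00
        $ageDays = [TimeSpan]::Parse("$($mbx.AuditLogAgeLimit)").TotalDays
        if ($ageDays -lt $RequiredAgeLimitDays) { $problems += "AuditLogAgeLimit is $ageDays days" }

        foreach ($set in @(
            @{ Name = "AuditAdmin";    Required = $RequiredAdmin;    Current = $mbx.AuditAdmin },
            @{ Name = "AuditDelegate"; Required = $RequiredDelegate; Current = $mbx.AuditDelegate },
            @{ Name = "AuditOwner";    Required = $RequiredOwner;    Current = $mbx.AuditOwner }
        )) {
            $missing = Get-MissingActions -Required $set.Required -Current $set.Current
            if ($missing.Count -gt 0) { $problems += "$($set.Name) missing: $($missing -join ', ')" }
        }
    }
    elseif ($OptOutTypes -contains $type -and -not $mbx.AuditEnabled) {
        $problems += "$type ignores the org default and has AuditEnabled False"
    }

    if ($problems.Count -gt 0) {
        [PSCustomObject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Type     = $type
            Problems = ($problems -join "; ")
        }
    }
}

# Empty output means every mailbox meets the recommended state.
$Findings | Format-Table -AutoSize
```

Pipe $Findings to Export-Csv to keep evidence for the audit trail, or feed the Mailbox column back into the remediation script above to fix only the non-compliant mailboxes rather than rewriting every mailbox's audit configuration.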

Note: Mailboxes with Audit (Premium) licensing, which is included with E5, can retain audit logs beyond 180 days.

Impact:

Adding additional audit action types and increasing the AuditLogAgeLimit from 90 to 180 days will have a limited impact on mailbox storage. Mailbox audit log records are stored in a subfolder (named Audits) in the Recoverable Items folder in each user's mailbox.

- Mailbox audit records count against the storage quota of the Recoverable Items folder.
- Mailbox audit records also count against the folder limit for the Recoverable Items folder. A maximum of 3 million items (audit records) can be stored in the Audits subfolder.

The following cmdlet in Exchange Online PowerShell can be run to display the size and number of items in the Audits subfolder in the Recoverable Items folder:

Get-MailboxFolderStatistics -Identity <MailboxIdentity> -FolderScope RecoverableItems |
Where-Object {$_.Name -eq 'Audits'} | Format-List FolderPath,FolderSize,ItemsInFolder

Note: It's unlikely that mailbox auditing on by default will impact the storage quota or the folder limit for the Recoverable Items folder.
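The cmdlet above inspects one mailbox at a time. The following PowerShell is an added example, not part of the benchmark or Tenable plugin, that runs the same Audits subfolder query across every UserMailbox and sorts by item count, so the mailboxes closest to the 3 million item folder limit from the Impact section surface first. It assumes an active Connect-ExchangeOnline session; the $WarnAtItems threshold is a constructed value chosen below that limit.

```powershell
# Added example (not part of the benchmark text): fleet-wide view of the Audits subfolder.
# Assumes an active Connect-ExchangeOnline session. $WarnAtItems is a constructed warning
# threshold placed below the 3 million item folder limit stated in the Impact section.
$WarnAtItems = 2500000

$AuditFolderStats = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        # Same per-mailbox query as the page's cmdlet, scoped to the Audits subfolder
        $stats = Get-MailboxFolderStatistics -Identity $_.PrimarySmtpAddress -FolderScope RecoverableItems |
            Where-Object { $_.Name -eq 'Audits' }
        if ($stats) {
            [PSCustomObject]@{
                Mailbox       = $_.PrimarySmtpAddress
                FolderSize    = $stats.FolderSize
                ItemsInFolder = [int]$stats.ItemsInFolder
                NearItemLimit = ([int]$stats.ItemsInFolder -ge $WarnAtItems)
            }
        }
    }

# Largest audit folders first; a row with NearItemLimit True is approaching the folder cap.
$AuditFolderStats | Sort-Object ItemsInFolder -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Because Get-MailboxFolderStatistics is called once per mailbox, this run is slow in large tenants; schedule it rather than running it interactively, and compare successive runs to see how quickly audit volume grows after the AuditLogAgeLimit is raised to 180 days.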

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: microsoft_azure

Control ID: 7d6a12078ae4aeeb1fc66e9400014eeed35008b77bcf5070fe75a51e1b80b9e2